Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    23-12-2024 23:35

General

  • Target

    914935fe8c30b7184ccfa19097c53eca43dd157b63c29429171a194dce8f9af2.exe

  • Size

    212KB

  • MD5

    f57c2b72ee75c357a12ce03a08be95b8

  • SHA1

    c0e8867ac37614f7e0e40fab9a66b9c6ef1c3249

  • SHA256

    914935fe8c30b7184ccfa19097c53eca43dd157b63c29429171a194dce8f9af2

  • SHA512

    59123bbe391f391b3c248f5be7889fad1cc806bbcbbe9ed1653c3ca687f7d27f21ba7e75215e225ddc04e29195d5e5a712e7a6219968eb1ff0e74c32d69da5da

  • SSDEEP

    3072:qeJLLpTnq5URrqNqYd31LgpI01TEr4J6anBbkPzHM38ad:zLLpThR4qYh1UG01TEr4nWw38s

Malware Config

Extracted

Family

amadey

Version

3.50

Botnet

0237fa

C2

http://193.56.146.194

Attributes
  • install_dir

    50c1695437

  • install_file

    rovwer.exe

  • strings_key

    b6d412dd2efdf33d84e939e52040748f

  • url_paths

    /h49vlBP/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\914935fe8c30b7184ccfa19097c53eca43dd157b63c29429171a194dce8f9af2.exe
    "C:\Users\Admin\AppData\Local\Temp\914935fe8c30b7184ccfa19097c53eca43dd157b63c29429171a194dce8f9af2.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2356
    • C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
      "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1976
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2424
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {AD2D7D5C-AB79-4F96-80A0-BFA4E6AC2EB1} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2800
    • C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
      C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
      2⤵
      • Executes dropped EXE
      PID:2628
    • C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
      C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
      2⤵
      • Executes dropped EXE
      PID:1728
    • C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
      C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
      2⤵
      • Executes dropped EXE
      PID:956

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\692679935401

    Filesize

    77KB

    MD5

    a92aae607bde28707e1d8d1a6b4c57bd

    SHA1

    1d2396b52db0c6b9f75991ee7245348c2c46a072

    SHA256

    5d0947ea515b7aabb8f0bd8dfdb4c69c7e22d483c3f9e679c73b0e7e980a6170

    SHA512

    262e38e0df1549822764ab091558697feed238193836f551b4fde3a63e7fc0db83b9b8f34d30c9d29152cc8168ceda31d180b13bb8791f0570f0266fd44d1051

  • \Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

    Filesize

    212KB

    MD5

    f57c2b72ee75c357a12ce03a08be95b8

    SHA1

    c0e8867ac37614f7e0e40fab9a66b9c6ef1c3249

    SHA256

    914935fe8c30b7184ccfa19097c53eca43dd157b63c29429171a194dce8f9af2

    SHA512

    59123bbe391f391b3c248f5be7889fad1cc806bbcbbe9ed1653c3ca687f7d27f21ba7e75215e225ddc04e29195d5e5a712e7a6219968eb1ff0e74c32d69da5da

  • memory/956-52-0x0000000000400000-0x000000000059A000-memory.dmp

    Filesize

    1.6MB

  • memory/1728-43-0x0000000000400000-0x000000000059A000-memory.dmp

    Filesize

    1.6MB

  • memory/1976-39-0x0000000000400000-0x000000000059A000-memory.dmp

    Filesize

    1.6MB

  • memory/1976-18-0x0000000000400000-0x000000000059A000-memory.dmp

    Filesize

    1.6MB

  • memory/1976-19-0x0000000000400000-0x000000000059A000-memory.dmp

    Filesize

    1.6MB

  • memory/1976-25-0x0000000000400000-0x000000000059A000-memory.dmp

    Filesize

    1.6MB

  • memory/1976-38-0x0000000000400000-0x000000000059A000-memory.dmp

    Filesize

    1.6MB

  • memory/1976-46-0x0000000000400000-0x000000000059A000-memory.dmp

    Filesize

    1.6MB

  • memory/2356-15-0x0000000000400000-0x000000000059A000-memory.dmp

    Filesize

    1.6MB

  • memory/2356-16-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2356-3-0x0000000000690000-0x0000000000790000-memory.dmp

    Filesize

    1024KB

  • memory/2356-4-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2356-5-0x0000000000400000-0x000000000059A000-memory.dmp

    Filesize

    1.6MB

  • memory/2628-29-0x0000000000400000-0x000000000059A000-memory.dmp

    Filesize

    1.6MB